Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication and reporting protocol that improves email security within federal agencies.
This protocol is mandated by the U.S. Department of Homeland Security (DHS) and was implemented at the U.S. National Science Foundation in October 2018.
Why is it important that I know about DMARC?
DMARC enables agencies like NSF to verify that an email was sent from a trusted source rather than from bad actors such as spammers, hackers or phishers.
Since NSF's implementation of DMARC, the agency has observed that some external organizations or individuals use email routing practices — such as auto-forwarding to personal accounts — that cause messages to be flagged as potentially fraudulent by the required DMARC protocols and blocked from distribution.
It is important for you to know that if your email is auto-forwarded to another account, such as a personal email account, you may not receive emails from NSF in that forwarded account.
What exactly is DMARC?
DMARC consists of protocols deployed in an organization's IT systems to prevent the illegitimate use of the organization's email. These protocols authenticate emails to ensure they are coming from a valid source.
Certain email practices such as using services authorized to send messages on behalf of an organization (such as Constant Contact, GovDelivery or Amazon SES) or auto-forwarding emails to secondary (non-organization) email accounts can impact message delivery, as bad actors such as hackers may use similar practices.
How do I know if I am impacted by DMARC?
If you have been receiving NSF emails, nothing needs to be done.
If the email account at your organization or institution is configured to automatically forward emails to a third-party email service provider, such as Google or Yahoo, it is possible that NSF emails are not being delivered to your third-party email address. Messages that are manually forwarded are not impacted. Please verify that you are receiving NSF emails in your primary organization/institution mailbox.
If you have not received emails sent by NSF, please contact your sponsored research office (SRO) so they are aware that you and others at your organization may be impacted. Please also contact the email administrator in your IT department to tell them about your issue and ask them to confirm that current email configurations are compatible with DMARC.
Note that factors other than DMARC configurations can impact email delivery, including mistyped email addresses and the spam and reputation filtering used by email providers.
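For email administrators, the following added example (not NSF code) shows why auto-forwarded mail can fail DMARC at the final mailbox provider while manually forwarded mail does not. It goes beyond the text by modeling DMARC's two underlying checks, SPF and DKIM, and their alignment with the From domain. All domains and results are constructed, a "reject" policy is assumed, and the organizational-domain lookup is simplified to the last two labels.

```python
# Added illustration: all domains and results below are constructed, not NSF data.

def org_domain(domain):
    # Assumption: the last two labels form the organizational domain.
    # Real receivers consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    # Relaxed alignment: both names share one organizational domain.
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(from_domain, spf, dkim_sigs):
    """spf is (result, envelope-sender domain); dkim_sigs is a list of
    (result, d= domain). DMARC passes if either check passes AND aligns."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain)
    dkim_ok = any(r == "pass" and aligned(d, from_domain) for r, d in dkim_sigs)
    return "pass" if spf_ok or dkim_ok else "fail"

def disposition(result, policy="reject"):
    # What the final receiver does with a failing message under each policy.
    if result == "pass":
        return "deliver"
    return {"none": "deliver", "quarantine": "junk", "reject": "reject"}[policy]

# Each scenario is what the FINAL mailbox provider observes.
SCENARIOS = {
    # Sent straight from the agency's own servers.
    "direct": ("agency.example", ("pass", "agency.example"),
               [("pass", "agency.example")]),
    # Auto-forward, message untouched: the forwarder's IP fails SPF, DKIM survives.
    "auto_forward_intact": ("agency.example", ("fail", "agency.example"),
                            [("pass", "agency.example")]),
    # Auto-forward through a system that rewrites the envelope sender and
    # adds a footer: SPF passes for the wrong domain, DKIM breaks.
    "auto_forward_modified": ("agency.example", ("pass", "mail.university.example"),
                              [("fail", "agency.example")]),
    # Manual forward: a new message whose From is the forwarding user's domain.
    "manual_forward": ("university.example", ("pass", "mail.university.example"),
                       [("pass", "university.example")]),
}

def evaluate_all(policy="reject"):
    return {name: disposition(dmarc_result(*args), policy)
            for name, args in SCENARIOS.items()}

if __name__ == "__main__":
    for name, outcome in evaluate_all().items():
        print(f"{name:22} -> {outcome}")
```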
Who can I contact at NSF if I have more questions?
If you have additional questions, please contact the IT Service Desk, whose hours of operation are 6:00 a.m. to 7:00 p.m. Eastern time:
Email: ITServiceDesk@nsf.gov
Phone: (703) 292-HELP (x4357) or (800) 711-8084
Additional resources
Visit the DHS Cybersecurity and Infrastructure Security Agency's webpage on Binding Operational Directive 18-01: Enhancing Email and Web Security.